{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "3.1.38" } ] }, "events": [ { "introduced": "0" }, { "fixed": "cda76d7cf6952390755edd40994885bcbb16ca4a" } ], "repo": "https://github.com/wpeventmanager/wp-event-manager", "type": "GIT" } ] } ], "details": "The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.37.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.", "id": "CVE-2023-4423", "modified": "2026-04-01T23:09:27.427529383Z", "published": "2023-09-27T15:19:40.383Z", "references": [ { "type": "ADVISORY", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd9d22b0-a84a-4bf2-b8b4-89bae2970f29?source=cve" }, { "type": "FIX", "url": "https://github.com/wpeventmanager/wp-event-manager/issues/1483" }, { "type": "FIX", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2969034%40wp-event-manager%2Ftrunk\u0026old=2953169%40wp-event-manager%2Ftrunk\u0026sfp_email=\u0026sfph_mail=" }, { "type": "EVIDENCE", "url": "https://github.com/Jacky-Y/vuls/blob/main/vul5.md" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }